###########################################################################
# LPRng - An Extended Print Spooler System
#
# Copyright 1988-1995 Patrick Powell, San Diego, CA
#     papowell@astart.com
# See LICENSE for conditions of use.
#
###########################################################################
# MODULE: TESTSUPPORT/lpd.perms.proto
# PURPOSE: prototype printer permissions file
# lpd.perms,v 3.7 1998/03/24 02:43:22 papowell Exp
##########################################################################
# Printer permissions data base
##
##
## LPRng - An Enhanced Printer Spooler
## lpd.perms file
## Patrick Powell
##
## Access control to the LPRng facilities is controlled by entries
## in a set of lpd.perms files. The common locations for these files
## are: /etc/lpd.perms, /usr/etc/lpd.perms, and /var/spool/lpd/lpd.perms.
## The locations of these files are set by the perms_path entry
## in the lpd.conf file or by compile time defaults in the src/common/defaults.c
## file. In addition to the global permissions files, each spool queue
## can also have a permissions file. This file is searched when information
## or operations on a specific printer are requested.
##
## Each time the lpd server is given a user request or carries out an unspooling
## operation, it searches the perms files to determine if the action
## is ACCEPT or REJECT. The first ACCEPT or REJECT found terminates the search.
## If none is found, then the last DEFAULT action is used.
##
## Permissions are checked by the use of 'keys' and matches. For each of
## the following LPR activities, the following keys have a value.
##
## Key           Match  Connect  Job    Job    LPQ   LPRM  LPC
##                               Spool  Print
## SERVICE       S      'X'      'R'    'P'    'Q'   'M'   'C'
## USER          S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## HOST          S      RH       JH     JH     JH    JH    JH
## GROUP         S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## IP            IP     RIP      JIP    JIP    RIP   JIP   JIP
## PORT          N      PORT     PORT   -      PORT  PORT  PORT
## REMOTEUSER    S      -        JUSR   JUSR   JUSR  CUSR  CUSR
## REMOTEHOST    S      RH       RH     JH     RH    RH    RH
## REMOTEGROUP   S      -        JUSR   JUSR   JUSR  CUSR  CUSR
## REMOTEIP      IP     RIP      RIP    JIP    RIP   RIP   RIP
## CONTROLLINE   S      -        CL     CL     CL    CL    CL
## PRINTER       S      -        PR     PR     PR    PR    PR
## FORWARD       V      -        SA     -      -     SA    SA
## SAMEHOST      V      -        SA     -      SA    SA    SA
## SAMEUSER      V      -        -      -      SU    SU    SU
## SERVER        V      -        SV     -      SV    SV    SV
## LPC           S      -        -      -      -     -     LPC
## AUTH          V      -        AU     AU     AU    AU    AU
## AUTHTYPE      S      -        AU     AU     AU    AU    AU
## AUTHUSER      S      -        AU     AU     AU    AU    AU
## AUTHFROM      S      -        AU     AU     AU    AU    AU
## AUTHSAMEUSER  S      -        AU     AU     AU    AU    AU
##
## KEY:
## JH   = HOST         host in control file
## RH   = REMOTEHOST   connecting host name
## JUSR = USER         user in control file
## CUSR = REMOTEUSER   user from control request
## JIP  = IP           IP address of host in control file
## RIP  = REMOTEIP     IP address of requesting host
## PORT = connecting host origination port
## CONTROLLINE = pattern match of control line in control file
## FW  = IP of source of request = IP of host in control file
## SA  = IP of source of request = IP of host in control file
## SU  = user from request = user in control file
## SA  = IP of source of request = IP of host in control file FROM info
## SV  = IP of source of request = IP of server host or server Localhost
## LPC = lpc command globmatched against values
## AU  = Authorization check on transfer
##   AUTH will match (true) if authenticated transfer
##   AUTHTYPE will match authentication type
##   AUTHUSER will match client authentication type
##   AUTHFROM will match server authentication type and is NULL if not from server
##   AUTHSAMEUSER will match client authentication to save authentication in job
##
## Match: S = globmatch, IP = IPaddress[/netmask],
##   N = low[-high] number range, V = matching or compatible values
## SERVICE: 'X' - Connection request; 'R' - lpr request from remote host;
##   'P' - print job in queue; 'Q' - lpq request; 'M' - lprm request;
##   'C' - lpc spool control request;
## NOTE: when printing (P action), the remote and job check values
##   (i.e. - RUSR, JUSR) are identical.
## NOTE: the HOST, USER, SAMEUSER and SAMEHOST checks always succeed
##   when checking permissions for a spool queue; they are active only when
##   checking permissions of a spooled job.
##
## The SAMEHOST match checks to see that one (or more) of the
## IP addresses of the host originating the request are the
## same as one or more of the IP addresses of the host whose
## hostname appears in the control file.
## The SERVER match checks to see if one (or more) of the
## IP addresses of the host originating the request are the
## same as one or more of the IP addresses of the server or
## match the localhost's IP address. Note that in IPV6, there may
## be multiple IP addresses for a single host.
## The FORWARD check verifies that none of the IP addresses of the
## host originating the request are the same as one or more of the
## IP addresses of the host whose hostname appears in the control file.
## This is equivalent to NOT SAMEHOST.
##
## The special key letter=patterns searches the control file
## line starting with the (upper case) letter, and is usually
## used with printing and spooling checks. For example,
## C=A*,B* would check that the class information (i.e. - the line
## in the control file starting with C) had a value starting
## with A or B.
##
## A permission line consists of a list of tests and a result value.
## If all of the tests succeed, then a match has been found and the
## permission testing completes with the result value. You use the
## DEFAULT reserved word to set the default ACCEPT/REJECT result.
## The NOT keyword will reverse the sense of a test.
##
## Each test can have one or more optional values separated by
## commas. For example USER=john,paul,mark has 3 test values.
##
## The Match type specifies how the matching is done.
## S = glob type string match
##   Format: string with wildcards (*) and ranges
##     *     matches 0 or more chars
##     [a-d] matches a or b or c or d
##   Character comparison is case insensitive.
##   For example - USER=th*s matches uTHS, This, This, Theses
##                 USER=[d-f]x matches dx, ex, fx
##
## IP = IP address and submask. IP address must be in dotted form.
##   Format: x.x.x.x[/y.y.y.y]   x.x.x.x is IP address
##                               y.y.y.y is optional submask, default is 255.255.255.255
##   Match is done by converting to 32 bit x, y, and IP value and using:
##     success = ((x ^ IP ) & y) == 0     (C language notation)
##   i.e. - only bits where mask is non-zero are used in comparison.
##   For example - REMOTEIP=130.191.0.0/255.255.0.0 matches all addresses 130.191.X.X
##
## N = numerical range - low-high integer range.
##   Format: low[-high]
##   Example: PORT=0-1023 matches a port in range 0 - 1023 (privileged)
##
## The SAMEUSER and SAMEHOST are options that form values from information
## in control files or connections. The GROUP entry searches the user group
## database for group names matching the pattern, and then searches these
## for the user name. If the name is found, the search is successful.
## The SERVER entry is successful if the request originated from the current
## lpd server host.
##
## Note carefully that the USER, HOST, and IP values are based on values found
## in the control file currently being checked for permissions. The
## REMOTEUSER, REMOTEHOST, and REMOTEIP are based on values supplied as part
## of a connection to the LPD server, or on the actual TCP/IP connection.
##
## The LPC entry matches an LPC command. For example LPC=topq would match
## when an lpc topq command is being executed. You must still have the
## SERVICE=C entry to trigger this action.
##
## Note: the SERVICE=R and SERVICE=P both check the LPR actions
## of sending a job. However, SERVICE=R does it when the job is being
## sent to the LPD server. Some LPD (and LPR) implementations cannot
## handle a job being rejected due to lack of permissions, and sit in
## an endless loop trying to resend the job. This is the reason for
## the SERVICE=P check. You can accept the job for printing, and then
## have the SERVICE=P check remove the job.
##
## NOTE: if you do not have an explicit ACCEPT SERVICE=P or
## DEFAULT ACCEPT action then your print jobs will be accepted
## and then quietly discarded.
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts not on subnet 130.191.0.0
## # or Engineering pc's
## REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
## REJECT SERVICE=X NOT REMOTEHOST=engpc*
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
## You can make sure that connections come from a privileged port.
## Default is to allow them from any port so that non-setuid programs
# can do printing.
# Totally RFC1179
#REJECT SERVICE=X NOT PORT=1-1023
#REJECT SERVICE=X NOT PORT=1-1023
# Privileged
#REJECT SERVICE=X NOT PORT=721-731
#
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# allow local users too ?
ACCEPT SERVICE=C SERVER USER
# CAUTION, C also grants lprm rights !
#ACCEPT SERVICE=C REMOTEHOST=enkur.hrz.tu-chemnitz.de
# reject all others
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
#ACCEPT SERVICE=M SAMEHOST SAMEUSER
ACCEPT SERVICE=M REMOTEIP=134.109.2.0/255.255.255.0 SAMEUSER
ACCEPT SERVICE=M REMOTEIP=134.109.72.0/255.255.255.0 SAMEUSER
ACCEPT SERVICE=M REMOTEIP=134.109.132.0/255.255.255.0 SAMEUSER
ACCEPT SERVICE=M REMOTEIP=134.109.200.0/255.255.255.0 SAMEUSER
ACCEPT SERVICE=M SERVER USER=root,bmu,nobody
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
ACCEPT SERVICE=M SERVER REMOTEUSER=nobody
#ACCEPT SERVICE=M REMOTEHOST=enkur.hrz.tu-chemnitz.de
#ACCEPT SERVICE=M REMOTEHOST=enkur.hrz.tu-chemnitz.de REMOTEUSER=nobody
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT